Village-Level Entrepreneur reported data theft to authority, no one took heed

Rachna Khaira

Thirty-two-year-old Bharat Bhushan Gupta is the man who reported the matter of illegitimate Aadhaar data access to The Tribune, which was followed up by the paper with an investigation of its own, aided by this whistleblower. However, he had first attempted to take an even more appropriate channel, approaching the UIDAI.

The Jalandhar-based Village-Level Entrepreneur (VLE) was on December 29 lured into buying access to the data by people who approached him on WhatsApp. But the moment he tried to check if the access worked by entering his own Aadhaar number and those of a few of his friends, he realised the information that showed up on the screen was more than he should be authorised to get. He could figure that out as he was a VLE who previously had legal access to Aadhaar data, but to a limited extent.

Gupta pondered over the matter for a couple of days, and decided to report. He dialled the toll-free helpline number, 1947, of the Unique Identification Authority of India (UIDAI). “I called up twice, but could only connect to an operator, who was unable to understand my concern. I told her since it was a technical and sensitive matter, she should put me through to a senior. She said no official was available in that office,” Gupta said.

Not getting a response from the UIDAI, he approached The Tribune correspondent, who, with Gupta’s assistance, approached the Aadhaar access sellers on WhatsApp and purchased another login in the name of ‘Anamika’.

This facilitated unrestricted access to personal details of Aadhaar number holders, as reported by The Tribune on Thursday. Why did the anonymous group target only VLEs? According to Gupta, it was a ready database of experienced people who had already worked with Aadhaar. They were lured into purchasing the access as their business had been interrupted, rendering them jobless.

“While the government had provided some VLE equipment free of cost, the majority of us had to pay up to Rs 3 lakh to representatives of the empanelment agencies assigned the task to set up the facilities. While I received the facility in January 2016, it became active in March, and was withdrawn in October, just before Diwali,” alleged Gupta, adding that many VLEs were hand-to-mouth and were unable to pay the instalments for the loans taken for the equipment.

“The offer to get full access to Aadhaar data for just Rs 500 was tempting to them, it would help them restart their business. While the government had specified Rs 20 for the printing of a card, they could charge anything from Rs 100 to 150 on the black market,” Bhushan claimed.

Right now, Gupta is being subjected to questioning by the police, but he is undaunted. “I am proud that I have managed to save the data of millions of Indians by reporting this issue,” Gupta said, sitting in his small shop in Rama Mandi area of Jalandhar.

Aadhaar breach: Gaping holes in data security and the unreliability of biometrics put a question mark on the project. UIDAI’s denials are increasingly unconvincing.

(Illustration by Subrata Dhar)

Does it really not matter at all that the personal details of a billion people, including their name, address, gender, date of birth, parents’ names, possibly bank account number, mobile number, email address and photo have been exposed by anonymous sellers? Is the only thing valuable in the UID (unique identification) database the biometric data? If the demographic data is so easy to reach, how do we know the biometric data is safe?

The explosive report in The Tribune on January 4, which revealed the gaping holes in the security of the database, has provoked the predictable response from the Unique Identification Authority of India (UIDAI) — denial. The reporter explains the few simple and swift steps she had to take, and the Rs 500 she had to pay, to access a billion identities on the UID database. The UIDAI says this is “misreporting”, and what happened is not a breach — that the database is safe and secure. And that they will take legal action against those involved in the case — an implicit admission amidst much denial.

The leaks, breaches and misuses have become too frequent for the denial to be convincing.

The leaks have not been either sparse or rare. Among the ones that hit the headlines, with large numbers affected by the breach: In November 2017, 210 government websites and those of educational institutions displayed personal information along with UID numbers. The UIDAI admitted this had happened, but said “that was not us”, the database is safe. Then they began to threaten those who exposed the leaks with criminal action. In December 2017, it was discovered that Airtel had opened bank accounts in a payments bank that they had launched; and it had seemingly done that by fudging consent, procured while verifying SIM cards. When people began complaining that they were not receiving their subsidies, the latter were traced to an Airtel account that customers did not even know had been opened for them. Now, this.

Some things have become clear over time. One, that the UID project is not just about the UIDAI. The UIDAI is certainly an important part of the project, but the project seeks to achieve ubiquity and universality and, in doing that, it involves private businesses. The Aadhaar Act 2016 does not permit private companies to mandate the use of the UID. So, the government uses its licensing powers to mandate that mobile companies and banks coerce mobile users into submission. Ever since the first MoUs between the UIDAI and various state governments, according to which the state governments were to act as registrars for the UID, the agreement was that the enrolment would include information that the UIDAI wanted for its database (KYR, or Know Your Resident) and anything additional that the government may collect (KYR+). Together, they were to become a means of getting a 360-degree view of people and communities. These now are the State Resident Data Hubs. They also come in various shapes and sizes. In Haryana, for instance, it is the Jan Kalyan and Suraksha Survey that captures every detail of every household, and of each individual in every household. See this to get an idea of how much the government wants to know you.

Ubiquity is achieved through mandating, either lawfully or otherwise, the inclusion of the UID number in every database. Hundreds of notifications, circulars, letters of instruction and many more such instruments compel people to get on the UID database, and to leave their “digital footprint” everywhere. Coercion was expected to help achieve universality — that is, everyone would be in the database. The “architecture” or “ecology” of the UID project involves leaving these digital footprints, by the use of state power and force if needed (and it has indeed been needed — people haven’t been happy to enrol, they have largely had to be pushed to the enrolment stations and also to the many, many other databases such as schools, hospitals, voter ID, ration, LPG, etc).

The UIDAI goes on about how biometrics are safe and out of reach. The truth is, biometrics are collapsing all round. The figures for biometric failure have been staggering. In Rajasthan, in the PDS, exclusion because of fingerprint failure has been close to 36 per cent — which means not even one person from 36 per cent of households is able to authenticate using their fingerprints. Jharkhand has witnessed deaths because the poorest have had difficulty linking their UID number with their ration card. Documents in the UIDAI archive from between 2009 and 2012 show that biometrics was still in an experimental phase. That biometrics are not working as hoped is made evident in the Watal Committee report on digital transactions, in December 2016. At pp. 123-124, the committee says that biometric authentication requires the availability of internet and high-quality machines capable of capturing biometric details, making it contingent on these working. So, the committee asks that for digital transactions, the “OTP sent on registered mobile number of Aadhaar holder” be allowed, thereby downgrading biometrics.

Digital payments are in the business interest; not PDS. So, while fingerprints cause huge problems to the poor, the business interest shifts to other means because biometrics are not dependable.

The mantra has, in fact, been JAM — Jan Dhan, Aadhaar, mobile — three numbers that make up identity. It was in 2010 that Nandan Nilekani said to a reporter: “The slogan of “bijli, sadak, paani” is passé; ‘virtual things’ like UID number, bank account and mobile phone are the in-thing.” That is the imagination that is driving the project today. It is these three numbers that are being exposed in the breaches. Then, to say that all is well is clearly not quite the truth.

The project is putting people, and the nation, at risk. Those in court challenging the project have been demanding that the project be scrapped — not just the UIDAI, but the project. The breaches explain why what they are asking makes sense.

The FIR also names Anil Kumar, Sunil Kumar and Raj, all of whom were mentioned in The Tribune report as people Khaira contacted in the course of her reporting.

Joint Commissioner of Police (Crime Branch) Alok Kumar confirmed that an FIR had been registered and an investigation launched. The FIR has been lodged with the Crime Branch’s cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well as Section 66 of the IT Act and Section 36/37 of the Aadhaar Act.

When contacted, The Tribune’s editor-in-chief Harish Khare refused to comment on the FIR. In the FIR, the complainant, B M Patnaik, who works with UIDAI’s logistics and grievance redressal department, states: “An input has been received through The Tribune dated January 3, 2018, that the ‘The Tribune purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.”

The FIR details how the reporter got in touch with the other persons named in the FIR and goes on to state: “The above-mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy… The act of the aforesaid involved persons is in violation of (the various sections mentioned in the FIR)… Hence, an FIR needs to be filed at the cyber cell for the said violation.”

The UIDAI’s media unit did not respond to calls and texts from The Sunday Express. The UIDAI CEO, when contacted, said he was in a meeting. The Tribune report, dated January 3, had stated: “It took just Rs 500, paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”

Late on Saturday, UIDAI’s Chandigarh regional office wrote to The Tribune’s Editor-in-Chief, asking if “was at all possible for your correspondent to view or obtain Fingerprints and Iris scan of any person through the aforesaid access to UIDAI portal” and “how many Aadhaar numbers did the correspondent actually enter through the said login user id and password and whom did those Aadhaar numbers belong to”. The letter asked for these details to be sent by January 8, “failing which it will be presumed that there was no access to any Fingerprints and/or Iris scan”.

After the report appeared, the UIDAI had in a statement said that there “has not been any Aadhaar data breach”.
“The Aadhaar data, including biometric information, is fully safe and secure,” it had said, adding, “There has not been any data breach of the biometric database, which remains fully safe and secure with the highest encryption at UIDAI and a mere display of demographic information cannot be misused without biometrics.”

On Friday, Dalit activist Vaibhav Chhaya, who has over 10,000 followers on Facebook, uploaded a photograph of a man waving from the grilled window of a police van. Tagged simply “Rahul Pradhan”, the image has garnered over 300 reactions and provoked comments like, “You can’t keep a tiger locked in a cage for long”. A member of the Yuva Panthers, Pradhan was arrested in Nanded city on Wednesday on a host of charges including rioting and criminal conspiracy and endangering the life or personal safety of others. Dalit activists insist he was framed when he tried to visit the family of the 16-year-old boy who died in the riots on Wednesday. He was released on bail on Thursday, only to be re-arrested by the Shivaji Nagar police while leaving the court premises. “The police were scared that if he reached the spot where the teenager was killed, he would reveal what had really happened,” says Chhaya.

In order to broadcast this version of events, Chhaya turned to social media platforms, which he claims have started playing a larger role in Dalit agitations. “The mainstream media ignores the issues faced by scheduled castes and tribes so most of us have stopped reading the paper,” he says. “For the Ambedkarite movement, social media is our social capital because it keeps us connected to one another.” Since the Koregaon Bhima riot on January 1, Chhaya has used social media to offer food, shelter and medical assistance to those in need, help Dalits who lost their belongings or whose vehicles were burnt, reach home safely, coordinate different groups during the bandh, and arrange legal representation for arrested protesters. He started a crowdfunding campaign — and broadcast live on Facebook — to thank people for the Rs 35,900 raised to help get Pradhan and others out of jail.

Political analyst Surendra Jondhale has seen an uptick in the use of social media by Dalit activists in the last five years. He says that even before violence broke out in Bhima-Koregaon, social media was buzzing with information about the bicentenary of the battle, the importance of attending the rally and the significance of the memorial. “Social media is being used to spread propaganda and mobilize the Dalit masses,” he explains. According to Jondhale, the downside is that social media forwards and posts often lack historical accuracy, context and diverse perspectives, which is why he is conflicted on whether the authorities should resort to suspending mobile and internet services like they did in Aurangabad on January 3. “It depends on the motive,” he explains. “If the motive is to clamp down on freedom of expression that is bad, but if it is to prevent rumours from being spread that is good.”

Sometimes activists use social media to raise awareness about a crime that might remain unreported. Dalit activist Laxman Gaikwad used Facebook to draw attention to the alleged murder of two tribal sisters and their father in Hingoli district. The police claimed that the girls and their father drowned by accident, but when activists investigated the incident, they came to believe that the three had been murdered. “I wrote about the incident on Facebook. This prompted a Lokmat journalist to visit the site and do a story,” says Gaikwad.

The Indian startup ecosystem needs to address the harassment issue as a matter of urgency now

Time’s up, reportedly, for a well-known high profile evangelist and investor in the Indian startup ecosystem. A police case has been registered against his alleged sexual harassment of women who have approached him for advice. This is providing a much-needed opportunity for reflection and corrective action in the male-dominated startup ecosystem in India. The opportunity should be taken.

First things first, it must be understood that sexual harassment is not a crime of sexual passion or sexual desire, but of power imbalance.

A founder, with dreams in her eyes, but no money in her pocket, will seek both investment and advice to realise her dreams. She should be able to do so without fear of being harassed or raped. A young professional, seeking to join in the building of another founder’s dream, should be able to do so too without fear of being harassed or raped.

The power imbalance that exists in these situations emboldens the person who perceives even a slight power advantage and is not above abusing it. Historically, that advantage has benefited men, including in India where the wealthiest 1 percent own 58 percent of the country’s wealth.

Mahesh Murthy, Co Founder, Seedfund

Recent figures show not much has changed as women founder-led startups in India received just 2 percent of startup funding in 2017. A Randstad Workmonitor survey found that nearly 83 percent of the Indian workforce has entrepreneurial ambition. With investable wealth disproportionately in the hands of a few, this power imbalance is not likely to tilt naturally to some semblance of fairness. In other words, startups need intent and action to change this situation.

What can startups do to ensure they do not foster a toxic environment for women and other minorities? The short answer is — plenty.

Founders should think of inclusive organisational design and the values underpinning the enterprise right at the beginning. Bringing in early advisers and mentors, who represent diversity of gender, schools attended, business experience, not to mention in the Indian context, caste, and religion, helps create the right foundation. No time to think about values and such stuff? Well then, expect that the empire you create may be destroyed by the very same lack of values.

Further, the startup should consider adding one or more independent directors to its board. These board directors should be experienced with governance and help shape the scaffold for future growth. This scaffold would comprise shaping the right culture — where the workplace does not tolerate harassing language or actions towards anyone — and instituting the right redressal mechanisms — including but not limited to the precepts of the Vishakha Guidelines.

Good governance also provides a competitive advantage in the long run, as the startup with a good reputation will attract a wider range of potential employees, and deliver better for its investors. Reputation is important because let’s not forget that the grapevine talks about things long before they become bad headline news. Investors should also find the prospect of a healthy culture and attendant successes attractive.

The argument often proffered to dismiss this advice is that startups do not have time to do all this, especially in the early days. To that I say, having seen enough failed startups, if you do not have the time to do some things right the first time, you will never have time to keep doing them over and over especially as other things related to growth consume your attention.

A March 2017 World Bank report noted that over the last 25 years in India, the workforce participation of college-educated women (alongside illiterate women) has fallen by over 11 percent placing India just above the Arab World and Pakistan, and way behind developed nations. An ambitious nation such as India cannot afford to let half its human capital wealth go to waste. Addressing harassment in the workplace is an essential step towards ensuring that waste does not happen.
